I've noticed that some big-name sites serve JavaScript that is compressed and some that is not compressed, on the same page load.
I also read that JavaScript shouldn't be gzipped when served over HTTPS. To back this up, I noticed that when serving jQuery from Google's CDN they only serve it compressed from HTTP, but not from HTTPS.
e.g. the first is compressed; the second is not.
http://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.min.js
https://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.min.js
However, if you pull jQuery from the Microsoft CDN over HTTPS:
https://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js
it IS served compressed.
Examples of big sites that serve both compressed and uncompressed on the same page load, regardless of HTTPS or not:
- https://wordpress.com — serves 19 compressed, 2 not.
- http://stackoverflow.com — serves 9 compressed, 1 not.
- https://www.microsoft.com — serves 10 compressed, 6 not.
So my question is: when should I gzip my JavaScript and when should I not?
Note, the question at "Can you use gzip over SSL? And Connection: Keep-Alive headers" is somewhat similar, in that the answers there explain under what circumstances compression should NOT be used under HTTPS. However, that's only half my question — some HTTP (not HTTPS) sites also compress some but not all of their JavaScript resources, e.g. the Stack Overflow example mentioned above.
asked Jan 27, 2016 at 1:04 by jeff-h
- The things mentioned have to do with transferring secure content. A lot of JavaScript isn't considered secure (i.e. it's something anyone can get by just visiting the page), and thus not worthy of concern. However, if you are serving secure content (i.e. a JSON payload with identifiable information), then you should not gzip it. – willaien Commented Jan 27, 2016 at 1:08
- @willaien any idea what implications would be when it is gzip'd? – charlietfl Commented Jan 27, 2016 at 1:09
- I believe it should not be gzipped over HTTPS when you need to support IE6. I don't remember where I read that so I'll leave this as a comment rather than an answer. – slebetman Commented Jan 27, 2016 at 1:10
- @charlietfl According to the Wikipedia article, and a tiny bit of research, it appears that there are ways to glean a bit of information about what's been sent if the data is compressed. That said, if you're already minifying, gzipping doesn't offer much extra compression. If you're burning through enough bandwidth to care, you're asking the wrong crowd. – willaien Commented Jan 27, 2016 at 1:11
- It should be noted that, if the JavaScript payload is being served on the same domain name (regardless of server) that does handle sensitive information, all compression should be turned off for that domain, if any of the data is held client-side via cookies. – willaien Commented Jan 27, 2016 at 1:15
1 Answer
Initially I thought that it has something to do with old browser support, as indeed IE6 and Netscape 4 had bugs when handling compressed JS files. But that had nothing to do with HTTPS. It was compression itself, and server config files have long had conditional settings to not compress JS files if an older browser is detected.
After some googling, it turns out that the issue is not with JS. It is with HTTPS. You should not serve gzipped content over HTTPS/SPDY/HTTP2. There are two attacks that are possible when you serve gzipped content over HTTPS: CRIME and BREACH.
Both CRIME and BREACH attacks make use of the fact that gzipping data reduces its size in statistically predictable ways. Both attacks are able to extract cookies which, depending on how your site works, allows an attacker to log in to user accounts.
So from your observation we can conclude that the Google CDN is correctly configured.
However, do note how both attacks work: their ultimate aim is session hijacking. If you're downloading a JS/CSS/GIF file from a Microsoft server then your browser won't be sending your site's cookies along with the request (same-origin policy). So Microsoft can be forgiven for serving compressed JS files on HTTPS.
Which means that you can serve compressed files over HTTPS! You just need to make sure those files come from a different domain to prevent CRIME and BREACH attacks from stealing your cookies.
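The rule the answer arrives at (compress static files served from a cookieless domain, avoid compressing responses that carry a user's secrets on an origin the browser sends credentials to) can be turned into a small audit check over recorded responses. The following is an added example, not code from the question, the answer, or any of the sites mentioned; the raw HTTP responses it inspects are constructed samples, and the `STATIC_TYPES` list and the `request_had_cookies` flag are assumptions of this example, not anything the thread specifies.

```python
"""Audit recorded HTTPS responses for the compression risk discussed in
the answer (CRIME/BREACH). Compression is flagged only where the body is
user-specific content on a credentialed origin; static assets from a
cookieless CDN origin pass. Example code; sample responses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Content types treated as static, non-user-specific assets (assumption of this example).
STATIC_TYPES = ("application/javascript", "text/javascript", "text/css", "image/", "font/")


@dataclass
class Verdict:
    risky: bool
    reason: str


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def audit(raw: str, request_had_cookies: bool) -> Verdict:
    """Decide whether a compressed response is a CRIME/BREACH-style concern.

    request_had_cookies: whether the browser sent credentials with the request
    (True for a same-origin call to the app, False for a cookieless CDN).
    """
    headers, _ = parse_response(raw)
    encoding = headers.get("content-encoding", ["identity"])[0].lower()
    if encoding in ("", "identity"):
        return Verdict(False, "response is not compressed")
    ctype = headers.get("content-type", [""])[0].lower()
    credentialed = request_had_cookies or "set-cookie" in headers
    if ctype.startswith(STATIC_TYPES):
        # A static file is the same for every user, so the compressed body
        # cannot reveal a secret that belongs to this user.
        return Verdict(False, f"{encoding} static asset; body is not user-specific")
    if not credentialed:
        return Verdict(False, f"{encoding} response on a cookieless origin")
    return Verdict(True, f"{encoding} on a credentialed {ctype or 'unknown'} response")


# Constructed sample responses (not captured from any real site).
SAMPLE_STATIC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/javascript\r\n"
    "Content-Encoding: gzip\r\n"
    "Cache-Control: public, max-age=31536000\r\n"
    "\r\n"
    "<gzipped bytes>"
)
SAMPLE_DYNAMIC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Encoding: gzip\r\n"
    "Set-Cookie: session=EXAMPLE_SESSION_VALUE; Secure; HttpOnly\r\n"
    "\r\n"
    "<gzipped bytes>"
)
SAMPLE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=EXAMPLE_SESSION_VALUE; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, raw, cookies in (("cdn js", SAMPLE_STATIC, False),
                                ("app page", SAMPLE_DYNAMIC, True),
                                ("app page, no gzip", SAMPLE_PLAIN, True)):
        v = audit(raw, request_had_cookies=cookies)
        print(f"{label:20s} risky={v.risky}  {v.reason}")
```

Run against a HAR export or a proxy capture, the check separates the two cases the thread conflates: a compressed `jquery.min.js` from a CDN origin is fine, while a compressed HTML or JSON response that sets or is sent with a session cookie is the case where compression should be turned off (or the secret moved out of the body).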